
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-0639 is an Authorization Bypass vulnerability affecting the npm package url-parse in versions prior to 1.5.7. The vulnerability was disclosed on February 17, 2022. The issue stems from incorrect conversion of the @ character within the protocol portion of the href field, which can cause the library to fail to identify the hostname correctly (NVD, Ubuntu).
The vulnerability has a CVSS 3.1 base score of 5.3 (Medium), with the following characteristics: Network attack vector, Low attack complexity, No privileges required, No user interaction needed, Unchanged scope, No impact on confidentiality, Low impact on integrity, and No impact on availability. The vulnerability exists in the URL parsing mechanism where incorrect handling of the @ character in the protocol section of URLs can lead to authorization bypass (Ubuntu).
The primary impact of this vulnerability is the potential for authorization bypass through user-controlled keys. When exploited, the vulnerability could allow attackers to bypass security controls that rely on proper URL parsing and hostname identification (Debian, Red Hat).
The vulnerability has been fixed in url-parse version 1.5.7 and later. Various Linux distributions have released security updates to address this vulnerability: Ubuntu has fixed versions for multiple releases including 20.04 LTS (1.4.7-3ubuntu0.1), 18.04 LTS (1.2.0-1ubuntu0.1), and 16.04 LTS (1.0.5-2ubuntu0.1~esm2). Debian has also provided fixes in their repositories (Ubuntu, Debian).
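Two defensive checks that follow from the advisory, as an added example that is not part of this report or of the url-parse project: an audit that flags copies of url-parse below the fixed version 1.5.7 in a package-lock.json, and a host-based authorization check that uses Node's built-in WHATWG URL parser with a strict hostname allowlist and rejects any URL carrying userinfo, so the decision never depends on how a third-party parser handles the @ separator. The lockfile contents and the allowlist are constructed sample data; the lockfile "packages" layout is that of npm lockfile version 2/3.

```javascript
// Added example (not from the advisory or from url-parse itself).
// 1. auditLockfile(): report url-parse entries older than the fixed release.
// 2. isAllowedHost(): authorize by hostname using Node's built-in URL parser.

const FIXED_VERSION = '1.5.7'; // fixed version stated in the advisory

// Parse "MAJOR.MINOR.PATCH" (leading range characters such as ^ or ~ are dropped).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.replace(/^[^\d]*/, ''));
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of the three components: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isVulnerableVersion(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfile (v2/v3 layout) and collect every
// url-parse copy, including nested ones, whose version predates the fix.
function auditLockfile(lock) {
  const findings = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    if (path.endsWith('node_modules/url-parse') && meta.version) {
      if (isVulnerableVersion(meta.version)) {
        findings.push({ path, version: meta.version });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile: one vulnerable copy and one patched nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/url-parse': { version: '1.5.3' },
    'node_modules/some-dep/node_modules/url-parse': { version: '1.5.10' },
  },
};

// Host-based authorization that does not rely on url-parse's hostname field.
// The WHATWG URL parser is used; the URL must be https, must carry no
// username or password (so the '@' separator never enters the decision),
// and its hostname must appear exactly in the allowlist.
function isAllowedHost(href, allowlist) {
  let u;
  try {
    u = new URL(href);
  } catch {
    return false; // unparseable input is denied, never "fixed up"
  }
  if (u.protocol !== 'https:') return false;
  if (u.username !== '' || u.password !== '') return false;
  return allowlist.includes(u.hostname.toLowerCase());
}

// Usage (constructed allowlist):
const ALLOWED_HOSTS = ['api.example.com'];
console.log(auditLockfile(SAMPLE_LOCK));
console.log(isAllowedHost('https://api.example.com/v1', ALLOWED_HOSTS));
console.log(isAllowedHost('https://user@api.example.com/v1', ALLOWED_HOSTS));
```

The audit only inspects the lockfile, so it catches transitive copies of url-parse that `npm ls` would also show but that a top-level package.json check would miss; the authorization check fails closed on any parse error, on non-https schemes and on URLs with credentials, which is the conservative choice when a hostname field cannot be trusted.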
Source: This report was generated using AI